algorithm 11 mistake mac
dshaw at jabberwocky.com
Wed Jul 8 00:02:42 CEST 2009
On Jul 7, 2009, at 5:32 PM, Robert J. Hansen wrote:
>> [I]t's chopping sha256 down to 224 bits to fit.
> As I understand things, this is largely (almost entirely)
> irrelevant. Am I mistaken?
Possibly. It depends on what you believe it is irrelevant for.
A user using SHA-256 reasonably expects to get 256 bits worth of
hash. It tends to be a surprise that GPG is silently lowering that to
224 bits behind the scenes (especially since the signature still
identifies as SHA-256). It would be unfortunate, particularly on a
public mailing list, to give the impression that using SHA-256 instead
of SHA-224 with a DSA key built for 224 bits actually got you the
requested 256 bits of hash. A more dramatic example would be someone
using SHA-512 with such a DSA key. Despite the massive hash you are
working with, you still only get to use 224 bits of it.
It's an easy mistake to make, as this is not the case for RSA keys,
which use whatever hash you like without any truncations.
Or are you asking if there is there a significant difference between
SHA-256 truncated to 224 bits and straight SHA-224 in terms of hash
strength? If so, no, there really isn't. SHA-224 in fact *is* a
truncated SHA-256 with a different initialization.
More information about the Gnupg-users